The Digital Personal Data Protection Bill, 2023 (“Bill”) tabled before the Lok Sabha on August 3, 2023 is the end of an almost decade-long road for evolving a general data protection regime specific for India.

By withdrawing the elaborate, prescriptive draft that was before Parliament until 2021; proposing a new, lean, principle-based draft for consultation; and then conducting an extensive consultation process which reportedly involved more than 20,000 submissions and several dozen discussions with personal participation at the highest levels, the ministry has sought to find a balance between protecting citizens’ rights and enabling ease of doing business, a balance which has proved elusive globally. As a concise document written in simple language with several illustrations, the Bill stays away from a dense and prescriptive approach and instead sets broad ground rules.

Essentially, entities (or data fiduciaries) can largely collect, store, or otherwise make use of (in other words, process) data only by taking clear, informed consent for specified purposes. Thereafter, that data can only be processed for those purposes, and retained only for as long, and used only in such manner, as is necessary for the purpose it was collected for. To ensure this, individuals have been given several rights in relation to their data, including the right to know what data fiduciaries hold, what they do with it, and who they share it with. Users can also seek correction and erasure of their data and raise grievances. Where they remain dissatisfied, they can approach a new Data Protection Board, which has the ability to hand down heavy fines, give directions, and, for repeat offenders, recommend a ban.

There is no longer a deemed consent provision. Instead, the Bill allows data to be processed without consent for certain legitimate uses. These include processing data which has been submitted voluntarily, processing employee data to safeguard the employer, processing the data of debtors, and processing by the state to provide benefits and services. While such processing will not require consent, it still has to comply with the Bill’s other conditions. The processing of data for personal or domestic purposes, or of data which has been made public by the individual, falls entirely outside the ambit of the Bill. The Bill will regulate all entities in India and entities outside India which offer goods and services in India, but proposes a broad “outsourcing exception” for data relating to persons outside India which is being processed in India.

Depending on various criteria, including the volume and nature of the data that entities process and the impact of that processing, fiduciaries can be classified as ‘significant’ and will be subject to higher compliance obligations, including resident data protection officers, audits and impact assessments.

To process the data of children, entities will (largely) need to take consent from their parents or guardians. They are restricted from targeting children or processing their data in a manner which may be detrimental. The Bill does leave the door open for certain exceptions which may prove useful and allow for a graded approach in line with international standards.

In a very significant change, fiduciaries now have the ability to freely transfer personal data outside India, except to countries which are restricted by the central government. However, sectoral restrictions (for example, those relating to payment data) will continue to apply, notwithstanding this specific relaxation.

The Data Protection Board, empowered to hear complaints, has the power to direct urgent or remedial mitigation measures in the event of a personal data breach and to impose fines which may extend to ₹250 crore. Significantly, for repeat offenders, the central government can, on the recommendation of the Board, impose a ban on them.

India’s current general data protection regime under the Information Technology Act, 2000 and the SPDI Rules is antiquated, poorly enforced, and honoured more in the breach than in the observance by the majority of businesses. As a result, the general perception is that data is an asset and more of it is better. This means entities in India tend to hold large volumes of heterogeneous, unstructured, and inconsistently-stored data of varying vintage. Therefore, the first step for many of them in complying with the Bill will be to understand what data they hold, what they do with it, and whether they need to continue to hold and process this data.

While the current form of the Bill is by no means certain to be final, and both exemptions and rules for several key provisions will be notified after its enactment, it is clear that the Bill will require businesses to rethink how they evaluate, collect, protect, and value data.

They will now need to ensure they have reasonable security standards and compliance processes in place, potentially obtain certification, and adopt technical and organisational measures. Under the Bill, fiduciaries are also required to notify personal data breaches to both the Board and the affected individuals. This will mean that they need to engage with a vocal and empowered new stakeholder.

In deal-making, the significant penalties for non-compliance and the threat of business disruption will mean that storing and protecting data becomes more expensive, and that acquirers become more sensitive to “toxic” data assets which may result in fines on the acquirer, as has been the case internationally.

All in all, the Bill represents a unique, Indian approach to a modern data protection regime which has benefitted significantly from the extensive consultation process.

While its provisions are less prescriptive than those of standards such as the EU’s GDPR, it will mean a significant shift from the current “state of the art” and indeed usher in a new dawn for privacy and data protection in India.

The writers are, respectively, managing partner and partner, Cyril Amarchand Mangaldas